This is all handled by native HTTP authentication. If generic service endpoints are required to create users and associate users with roles/groups, then these can be created as required. Access control is handled through modification of the resource headers.